On 10/9/25 12:55 PM, Clément OUDOT wrote:
On 09/10/2025 at 17:49, Brendan Kearney wrote:
List members,
I am running 3 OpenLDAP servers in a multi-provider replication
setup, with HAProxy load balancing access to the service. I want to
implement proxy-protocol, in order to see the client IP, not just the
load balancer's source NAT. There are some hang-ups I found when I
tried this, and I'm wondering if there is an easier way, or if I have
all the places where config changes are needed.
To start, I modified the startup configs so the "-h" parameter was
"pldap://host.domain.tld". Then I changed the olcServerID entries in
cn=config to match. Next I changed the olcSyncRepl entries to include
"provider=pldap://host.domain.tld". Then I made the changes to the
HAProxy service and restarted everything.
What I found was that replication failed, as the LDAP instances were
not sending the proxy-protocol headers to each other when attempting
to initiate connections for replication. They replicate directly
between each other and do not talk to the load balancer for
replication. I may or may not have to change the "provider" string
in the olcSyncRepl configs (I would like to confirm whether this is
needed or not), but ultimately the instances don't send the
proxy-protocol headers, so replication connections do not establish
and replication does not occur.
As the servers stand, they only listen on one interface and all
communication happens on this interface. The client connections
coming from HAProxy, as well as the replication connections, all go
in/out this one interface. Is there a hack that can allow pldap:// and
ldap:// listeners to exist on the same interface? If not, would I
need to add some different interface for replication? The startup
configs would then have "-h pldap://host.domain.tld
ldap://host-repl.domain.tld". The olcServerID entries would be
"ldap://host-repl.domain.tld", and the olcSyncRepl entries would be
"provider=ldap://host-repl.domain.tld".
Are there any tips or tricks about doing this a different way? If
not, do I have all the places where config changes are needed, to get
this working correctly?
You need to set different ports for the pldap:// addresses.
See LTB documentation:
https://ltb-project.org/documentation/haproxy_openldap_proxy_protocol.html
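A worked layout of the two-port arrangement, added here as an illustration; it is not from the thread or from the LTB page. Each provider keeps its plain ldap:// listener on 389, which is what syncrepl between the providers uses (slapd never emits a PROXY header when it connects as a syncrepl consumer), and adds a pldap:// listener on a second port that only HAProxy talks to. The host names follow the thread; port 10389, the server IDs, the replication DN, the suffix, the credentials placeholder and the HAProxy frontend/backend names are all assumed.

```conf
# --- slapd startup, run on each provider (port 10389 is an assumed value) ---
# ldap://  :389   plain listener: syncrepl peers and local admin tools
# pldap:// :10389 PROXY protocol v2 listener: only HAProxy connects here
slapd -h "ldap://host1.domain.tld:389 pldap://host1.domain.tld:10389" -F /etc/openldap/slapd.d

# --- cn=config on host1 (LDIF; server IDs 1..3 are illustrative) ---
# olcServerID and the syncrepl providers point at the plain listener,
# never at the pldap:// port.
dn: cn=config
changetype: modify
replace: olcServerID
olcServerID: 1 ldap://host1.domain.tld:389
olcServerID: 2 ldap://host2.domain.tld:389
olcServerID: 3 ldap://host3.domain.tld:389

dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcSyncRepl
olcSyncRepl: rid=002 provider=ldap://host2.domain.tld:389
  searchbase="dc=domain,dc=tld" type=refreshAndPersist retry="60 +"
  bindmethod=simple binddn="cn=replicator,dc=domain,dc=tld"
  credentials=REPLICATOR_PASSWORD_PLACEHOLDER
olcSyncRepl: rid=003 provider=ldap://host3.domain.tld:389
  searchbase="dc=domain,dc=tld" type=refreshAndPersist retry="60 +"
  bindmethod=simple binddn="cn=replicator,dc=domain,dc=tld"
  credentials=REPLICATOR_PASSWORD_PLACEHOLDER

# --- haproxy.cfg ---
frontend ldap_in
    mode tcp
    bind *:389
    default_backend ldap_providers

backend ldap_providers
    mode tcp
    balance roundrobin
    # send-proxy-v2 prepends the PROXY v2 header carrying the real client
    # address; check-send-proxy makes the health checks send it too, so
    # they are not rejected by the pldap:// listener.
    server host1 host1.domain.tld:10389 check check-send-proxy send-proxy-v2
    server host2 host2.domain.tld:10389 check check-send-proxy send-proxy-v2
    server host3 host3.domain.tld:10389 check check-send-proxy send-proxy-v2
```

Two practical points. The PROXY header is not authenticated: any host that can reach the pldap:// port can claim an arbitrary client address, which would defeat peername-based ACLs and falsify the connection logs, so the 10389 listener should be firewalled to the HAProxy nodes only. And the plain 389 listener is not behind HAProxy, so replication and direct admin access keep working exactly as before the change.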
That was easy. Way easier than I was making it out to be. Thanks for the
help.
brendan kearney